Platform: python
Component: oauth2
Fixed in: 1.9.1, 1.9rc1
CVE-2013-4346 affects the python-oauth2 library, specifically its Server.verify_request function. This vulnerability allows attackers to perform replay attacks by exploiting the absence of nonce verification within signed URLs. Systems using python-oauth2 versions less than or equal to 1.5.211 are vulnerable. A fix is available in version 1.9rc1.
The primary impact of CVE-2013-4346 is the potential for replay attacks. An attacker can capture a valid, signed URL and resubmit it at a later time, effectively tricking the application into processing the request again. This could lead to unauthorized actions, such as granting access to resources, modifying data, or performing transactions without the user's knowledge or consent. The blast radius depends on the application's reliance on OAuth2 and the sensitivity of the data protected by it. If the application handles financial transactions or sensitive user data, the impact could be significant. This vulnerability shares similarities with other OAuth2 implementation flaws where proper nonce handling is missing, potentially leading to similar exploitation patterns.
CVE-2013-4346 was published on May 20, 2014. There is no indication of this CVE being listed on KEV or having an EPSS score. Public proof-of-concept (POC) code is not widely available, suggesting limited active exploitation. However, the vulnerability's nature makes it a potential target for opportunistic attackers.
Exploit Status
EPSS: 0.47% (65th percentile)
CVSS Vector
The recommended mitigation for CVE-2013-4346 is to upgrade to version 1.9rc1 or later of the python-oauth2 library. If upgrading is not immediately feasible, consider implementing temporary workarounds. Strict URL validation should be enforced to ensure that only expected parameters are present and within acceptable ranges. Rate limiting can also help to mitigate the impact of replay attacks by limiting the number of requests from a single source within a given timeframe. Review OAuth2 configuration to ensure nonces are properly generated and verified. After upgrading, confirm the fix by attempting to replay a previously captured signed URL – it should be rejected.
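The replay check described above, written out as an added example that is not python-oauth2's own code: it pulls oauth_consumer_key, oauth_nonce and oauth_timestamp from a signed URL, rejects stale timestamps, and rejects any (consumer, timestamp, nonce) triple it has already accepted. Signature verification is assumed to happen separately; the URL, parameter values and window size are constructed for illustration.

```python
import time
from urllib.parse import urlparse, parse_qs

# Added example, not library code: the nonce bookkeeping the page says
# Server.verify_request lacked in vulnerable python-oauth2 versions.
# A signed URL whose signature checks out is still rejected here if its
# nonce was already consumed inside the acceptance window.

class NonceRegistry:
    def __init__(self, window_seconds=300):
        # Hypothetical window: requests older/newer than this are refused,
        # which bounds how long consumed nonces must be remembered.
        self.window = window_seconds
        self.seen = set()  # (consumer_key, timestamp, nonce) triples

    def _expire(self, now):
        # Entries whose timestamp can no longer pass the window check
        # can never be replayed successfully, so drop them.
        cutoff = now - self.window
        self.seen = {k for k in self.seen if k[1] >= cutoff}

    def check(self, signed_url, now=None):
        """Return (accepted, reason) for one signed request URL."""
        now = time.time() if now is None else now
        params = parse_qs(urlparse(signed_url).query)
        try:
            consumer = params["oauth_consumer_key"][0]
            nonce = params["oauth_nonce"][0]
            ts = int(params["oauth_timestamp"][0])
        except (KeyError, ValueError):
            return (False, "missing or malformed oauth_* parameters")
        if abs(now - ts) > self.window:
            return (False, "timestamp outside acceptance window")
        self._expire(now)
        key = (consumer, ts, nonce)
        if key in self.seen:
            return (False, "nonce already used: replay rejected")
        self.seen.add(key)
        return (True, "accepted")


if __name__ == "__main__":
    # Constructed signed URL; the signature value is a placeholder.
    url = ("https://api.example.test/resource?oauth_consumer_key=abc"
           "&oauth_nonce=n1&oauth_timestamp=1000000&oauth_signature=sig")
    reg = NonceRegistry()
    print(reg.check(url, now=1000010))  # first use: accepted
    print(reg.check(url, now=1000020))  # same URL again: rejected
```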
CVE-2013-4346 is a HIGH severity vulnerability in python-oauth2 versions ≤1.5.211. It allows attackers to replay signed URLs due to missing nonce verification, potentially leading to unauthorized actions.
You are affected if your application uses python-oauth2 version 1.5.211 or earlier. Check your installed version using pip show python-oauth2.
Upgrade to version 1.9rc1 or later of python-oauth2. As a temporary measure, implement strict URL validation and rate limiting.
There is no widespread evidence of active exploitation, but the vulnerability's nature makes it a potential target for opportunistic attacks.
While a dedicated advisory might not exist, refer to the python-oauth2 project's repository and related discussions for information: https://github.com/SimpleGeo/python-oauth2